PasswordBox: Unbreakable Passwords That You Don’t Have to Remember

For most of us, our passwords are the keys to our entire digital lives. The bad news is that we’re losing the race to keep these passwords safe from attackers. Making up a secure yet memorable password used to be a matter of picking a random word or two and throwing in a couple of numbers—say, “fid0bark5.” But websites don’t store your password itself; they store a scrambled version of it (a hash), and if that database leaks, an attacker simply feeds guesses through the same scrambling until one matches. With the computing power available today, that means billions of guesses per second against a poorly protected hash, and almost any password simple enough for a human to memorize falls in seconds.

To be truly secure, a password should be so long and so random that it couldn’t be guessed even if the hashed version stored by your bank or your e-mail provider fell into the hands of an attacker. But a password that lengthy is effectively impossible to keep in your head, let alone type in every time you log in at a website. I’m talking about jumbles that sound like FedEx tracking numbers—for example, “lxgJSN4F6BvAK6HTUfMo” or “PASzYFweX8sbACYgB8hN,” just to use two 20-character strings that I generated randomly using Wolfram Alpha.

So what’s the good news? It’s that designers, engineers, and entrepreneurs have been thinking hard about the problem. And they’re finally coming up with solutions that can help average consumers put less of their precious brainpower toward remembering passwords.

This week I’ve been testing a new consumer-oriented service, PasswordBox, that can make up strong passwords and then remember them for you across the Web, whether you’re using Safari, Chrome, or Firefox, and whether you’re surfing from your PC or your mobile device. Once you’ve entered your existing online passwords into PasswordBox or created safer new ones, all you have to remember is one master password. Then, to log into a password-protected site, you just click on the site’s icon on the PasswordBox menu.

The service is both secure and extremely easy to use—a combination that’s been lacking in most previous password-management software. It has an unusual “legacy” feature that allows you to designate a friend or family member to take over your accounts in the event of your death. It works on iOS and Android phones, and because it’s cloud-based, any change in your passwords is reflected immediately on all of your devices. And perhaps best of all, it’s cheap ($1 per month, and free for life if you get five friends to sign up).

There are many other dedicated password management programs to choose from (see the table above); they’re all better than trying to memorize passwords on your own. But ultimately, even systems like PasswordBox can’t guarantee that your online data will always be safe, or that hackers will never find a way to drain your bank account, run up your credit card bill, or wipe your cell phone. For one thing, there’s still that master password: if someone else gets it, you’re back where you started.

To achieve the next level of security, many security pundits say, we’ll probably need to abandon passwords altogether and adopt two-factor authentication, biometric technology, or other schemes. Wired senior writer Mat Honan, the victim of a much-publicized 2012 hacker attack, says “The age of the password has come to an end; we just haven’t realized it yet.”

Be that as it may, there’s still going to be a long transition period. So it makes sense to investigate services like PasswordBox that can boost your protection, while easing the burden of remembering all your old-fashioned alphanumeric passwords.

In a way, you can think of the password crisis as a design failure. The sins for which consumers are constantly berated—picking short, easy-to-guess passwords; using the same password on multiple sites; keeping the same passwords for years; or, God forbid, writing down your passwords on paper and carrying them in your purse or wallet—seem unavoidable in a world where every service from your frequent-flyer account to your dentist’s appointment portal requires authentication. A 2007 study by Microsoft Research found that the average Web user had 25 accounts that required passwords, but had only 6 actual passwords, meaning that each password was being shared across four or more sites. And that was before the mobile-apps explosion; the numbers would doubtless be even more disturbing today.

The reason it’s such a bad idea to reuse passwords is that one successful breach could allow a hacker to infiltrate all of your accounts. Browser makers have tried to help by adding features that offer to remember multiple passwords, but they only work for selected sites, and with the exception of Firefox, they don’t sync across your desktop and mobile devices. The system built by PasswordBox—a San Francisco- and Montreal-based startup that opened its system to the public this week after more than a year of private beta testing—can remember an arbitrary number of passwords and log you in using the right one each time you visit a secure site, whether you’re using your computer or your phone.

Here’s how it works. When you sign up, you download an extension for your browser and give PasswordBox a master password; it becomes the key to the virtual chest where all your other keys will be stored. Then you input the usernames and passwords you use at all your usual haunts on the Web. When I joined PasswordBox, I thought of about 20 sites right off the bat, from my bank to Amazon to my photo-sharing site (Flickr) to my health plan’s billing portal.

Before they’re uploaded to PasswordBox’s cloud servers, the credentials for each account are encrypted on your computer using the AES-256 algorithm, which the NSA has approved for protecting top-secret documents. The encryption key is derived from your master password, and neither the password nor the key ever leaves your computer; the servers receive only the encrypted result.

That’s called a “zero-knowledge” architecture. PasswordBox doesn’t get a copy of the key it would need to decrypt your stored credentials, so it couldn’t snoop on your data even if it wanted to. Neither could the NSA, for that matter: the realistic way to attack such a vault is not to break AES-256 (even a hypothetical quantum computer would only cut its effective strength to 128 bits, still far out of reach) but to steal the encrypted blob and guess at the master password offline, one candidate at a time. (That is the one real downside of the zero-knowledge approach: if you forget your master password, or if someone else obtains or guesses it, you’re screwed, and nobody at PasswordBox can reset it for you. So you do still have to remember one password—and you need to make it a strong one, and then be careful with it.)

PasswordBox designed its system to be simple and unobtrusive. In Chrome, the browser I use, the program takes over the new-tab screen and shows big icons that allow you to log in to any of your saved accounts with one click.

“We built a product that my mom can use,” says Daniel Robichaud, PasswordBox’s co-founder and CEO. “The only thing she knows is that there’s something that remembers her password, and she clicks on the big buttons, and it works.”

Once you install PasswordBox, the new-tab screen becomes your "start" screen, showing one-click login buttons for your most important sites.

Despite its simplicity, PasswordBox offers a few useful features that set it apart from other password managers. There’s a password generator that can suggest strong passwords, up to 26 characters long, to replace your flimsy old ones. There’s a feature that lets you temporarily share a password with a friend, family member, or coworker who’s also using PasswordBox (which sounds to me like an easy, though potentially illegal, way for families to split access to a single Netflix or HBO Go account).

The “Legacy” feature lets you choose who should have access to your accounts in case you’re obliterated by a meteorite; it involves a second master password that’s transferred from your computer to your caretaker’s computer after they present PasswordBox with a valid death certificate. Robichaud—who’s a graduate of Montreal’s HEC University, runs a Montreal venture firm called Neotech Capital, and has started three previous companies in the mobile and media markets—says the legacy feature has become PasswordBox’s best viral marketing mechanism, since the person you designate as your caretaker has to sign up for the service too.

PasswordBox also offers free apps for iOS and Android devices that sync up with your desktop browser. It’s got an identical start screen, and clicking on the buttons will bring up the same sites inside an in-app browser. If you do use the PasswordBox mobile app, it’s a good idea to protect your data from thieves by setting up a PIN for the app, or your phone, or both.

There are a couple of limitations to PasswordBox. Its system for recognizing login pages and supplying credentials doesn’t yet work with every site on the Web—but it’s up to about 95 percent, Robichaud says.

If you’re totally dependent on PasswordBox to remember your long, strong passwords, you won’t be able to get into your e-mail or other basic services from any computer other than your own. Unless, that is, you’ve got your smartphone with you—in which case you could look up your password in the PasswordBox app and type it manually. (But Robichaud says you should never do that on a public computer, since there’s a risk that keylogging software might be installed.)

And PasswordBox doesn’t work as a key to all your password-protected mobile apps, although the company is developing workarounds for that, such as the ability to copy a password into your device’s clipboard. (Bear in mind that the clipboard is readable by other apps on the phone, so a copied password should be pasted right away and cleared afterward.) The PasswordBox app can also launch certain third-party apps, such as Dropbox and Evernote, directly.

Why is it safer, in the end, to put all your eggs in one basket by having a master password? It’s a legitimate question. The answer is that creating unique, strong passwords for every site you use, then handing them over to a management program like PasswordBox, is a vast improvement over what most people do, since the damage from a hacker attack at your bank or your credit-card company will then be contained to the site that was hacked. You do need to make sure that your master password is strong, and that you never, ever write it down. The overall improvement in security comes from having to memorize just one good password, so it’s less tempting to have six weak ones and keep reusing them.

It’s safe to say that most corporations will push their employees to adopt more secure passwords over time, and that they’ll shell out for one of the many “single sign-on” systems available from enterprise software providers to ensure compliance. But how large is the potential market for a consumer-oriented password management service, especially as giants like Apple soup up their own login systems? (Apple, for example, has said that the next version of OS X will include a cloud-based password management system called iCloud Keychain.)

Robichaud says he isn’t too worried about how his bootstrapped startup will compete with big players like Apple, Google, Facebook, and Microsoft. They’ll never agree to common identity standards, he predicts, thus leaving an opening for a smaller company to build a system that integrates with all of them.

“Our long-term objective is to become the single sign-on for consumers—the neutral party that identifies you everywhere,” Robichaud says. “People need to have strong passwords everywhere to be protected, and there is no way people can remember strong passwords. This is why I’m sure we are in the right market at the right time.”

Hey, Wade – LastPass is free for the desktop/laptop versions. $12/yr is to add mobile (phone, tablet) support.

http://www.xconomy.com/san-francisco Wade Roush

Noted and corrected! Thanks Erika.

Jorsh

Intuitive Password should be mentioned. A cloud based password manager, very nice user interface!

Joost

I am not comfortable with using a cloud based solutions. Various native KeePass clients are available for Linux, iOS, Android and legacy cellphones. KeePass supports two branches 1.x and 2.x. I chose the 1.x format and have been using KeePassX, KeePassJ2ME and MiniKeePass for a few years now. See http://keepass.info/download.html

Edie

I can’t remember my master password for my Password Box app. How do I get a new one?
Edie

Stephen Mugford

I love PWB but I have found a glitch. Suppose you forget a password for a site. Maybe PWB is recalling it for you on your PC but you need also to log in to the site via (say) your smartphone. So, you send a request to the site and it sends one of those updater emails. You click on the link and, quick as a flash, PWB leaps in, whacks in a new password and sends it off. It also recalls it so you can log in fine from the PC. But since it didn’t show you what it was inserting (and you cannot view it in PWB for security reasons), you are still disabled on other devices. Sure, when you KNOW this is the issue it is easy to remember to turn PWB off for a few minutes while you do the renewal business. But you need to know it. I didn’t. I spent an age at one point with very helpful folk at AMAZON (on an international line from Australia) as we patiently did a manual, remote fix because this glitch was interfering every time I tried to reset the AMAZON password … (They didn’t know either.) Then it happened with another couple of sites. Hmm, had to be inside my browser configuration I decided. So, patiently, I started turning off my Chrome extensions one by one and bingo—when PWB was off the renewal process worked fine.
